Implement Full or Partial Disk Encryption for Data Protection
Encrypt all or parts of a drive to ensure data cannot be accessed without the correct permissions.
Plain language
This control is about using encryption to protect the information stored on your computer's drives. Encryption is like putting your data in a locked box - without the correct key, even if someone gets their hands on the box, they can't see what's inside. If you don't encrypt your drives, someone who steals your computer or gains unauthorised access could read your private information or sensitive business data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Cryptographic fundamentalsTopic
Encrypting Data at RestOfficial control statement
Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest.
Why it matters
Without disk encryption, lost or stolen devices expose sensitive data, risking data breaches and severe reputational damage.
Operational notes
Regularly verify recovery keys and escrow them securely; confirm FDE/partition encryption is enabled and cannot write to any unencrypted volumes.
Implementation tips
- Business owners should talk to their IT company or person to decide on the best way to encrypt their computer drives. They can use software that comes with most modern operating systems or purchase additional programs that meet the Australian Cyber Security Centre (ACSC) standards.
- The IT team should set up full disk encryption for all computers and devices used in the organisation. This means turning on the encryption feature in the device settings, which often involves creating a strong password or using a special encryption key.
- Managers should train all staff about the importance of encryption and how to use it correctly. This includes explaining that they should never disable encryption and they must keep their passwords private and secure.
- Procurement officers should ensure that any new technology purchased is compatible with encryption requirements. This involves checking product specifications or asking vendors directly if their devices support encryption.
- IT teams should create a backup plan for encrypted data to prevent data loss. This can be done by using secure cloud services that also encrypt data, or creating encrypted backups on external drives that are stored safely.
Audit / evidence tips
- AskThe encryption software configuration details: Request documentation that shows which encryption tool is being used and how it's configured GoodWill show that standardised encryption is applied to all devices used in the organisation
- AskThe training records related to encryption practices GoodIs records showing all staff were trained at least once a year, with clear topics covered
- AskThe device inventory list: Check the list for evidence that all devices are encrypted GoodWill show every device that can hold data is encrypted, with a responsible person named for compliance
- GoodWill track each purchase decision, showing consideration for encryption compatibility
- AskTo see the data backup plan GoodIncludes a documented procedure for regular encrypted backups with clear responsibilities and timing
Cross-framework mappings
How ISM-0459 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-0459 requires implementing full disk encryption, or partial disk encryption where controls ensure data can only be written to the enc... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.